ISPConfig 2 fail2ban problem with dovecot

#1
12th April 2012, 19:43
andron26

Hi,

I've installed the latest ISPConfig 2 on Fedora 15 with the perfect setup.
In ISPC I've turned off the firewall.

I'm trying to configure fail2ban to block failed logins to the dovecot server.

dovecot.conf in filter.d folder:

[Definition]
failregex = (?: pop3-login|imap_login ): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(auth failed|Disconnected).*rip=(<HOST>),.*
ignoreregex =

dovecot part in jail.conf:

[dovecot-pop3imap]
enabled = true
filter = dovecot
action = iptables-multiport[name=dovecot-pop3imap, port="110,143,995,993,25,465,587"]
logpath = /var/log/maillog
maxretry = 5
findtime = 600
bantime = 3600

Failed SSH attempts are blocked, but dovecot ones are not.
I'm stuck. What could be wrong?
If I run fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot.conf:
Running tests
=============

Use regex file : /etc/fail2ban/filter.d/dovecot.conf
Use log file : /var/log/maillog


Results
=======

Failregex
|- Regular expressions:
| [1] (?: pop3-login|imap_login ): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(auth failed|Disconnected).*rip=(<HOST>),.*
|
`- Number of matches:
[1] 22528 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
173.192.142.34 (Sun Apr 08 06:58:42 2012)
173.192.142.34 (Sun Apr 08 06:58:42 2012)
173.192.142.34 (Sun Apr 08 06:58:42 2012)
173.192.142.34 (Sun Apr 08 06:58:47 2012)
173.192.142.34 (Sun Apr 08 06:58:47 2012)
173.192.142.34 (Sun Apr 08 06:58:47 2012)
173.192.142.34 (Sun Apr 08 06:58:52 2012)
210.26.5.2 (Thu Apr 12 18:27:40 2012)
210.26.5.2 (Thu Apr 12 18:27:52 2012)
210.26.5.2 (Thu Apr 12 18:27:52 2012)
210.26.5.2 (Thu Apr 12 18:30:40 2012)
210.26.5.2 (Thu Apr 12 18:30:52 2012)
210.26.5.2 (Thu Apr 12 18:30:52 2012)

Date template hits:
63317 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>

Success, the total number of match is 22528

However, look at the above section 'Running tests' which could contain important
information.
#2
13th April 2012, 16:38
falko

Did you restart fail2ban?

What's in /var/log/maillog when there's a failed Dovecot login attempt?
#3
14th April 2012, 18:05
andron26

Yes, I've restarted fail2ban.
SSH rule works and proftpd too.
Log:


Apr 8 07:11:17 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<gopher>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..83
Apr 8 07:11:21 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..82
Apr 8 07:11:21 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..81
Apr 8 07:11:21 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..83
Apr 8 07:11:25 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..81
Apr 8 07:11:25 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..82
Apr 8 07:11:25 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..83
Apr 8 07:11:29 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..81
Apr 8 07:11:29 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..82
Apr 8 07:11:29 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..83
Apr 8 07:11:33 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..83
Apr 8 07:11:33 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..81

Last edited by andron26; 14th April 2012 at 18:08.
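
An added example (not part of the thread and not fail2ban's own code): it replays constructed maillog lines through the failregex from post #1 and a simple model of the jail's maxretry/findtime window, to show which addresses the posted settings would flag. The `<HOST>` substitute, the `sample_line` helper, the sample addresses and the `imap-login` prefix are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# failregex exactly as posted in filter.d/dovecot.conf (post #1).
FAILREGEX = (r"(?: pop3-login|imap_login ): (?:Authentication failure|"
             r"Aborted login \(auth failed|Aborted login \(auth failed|"
             r"Disconnected).*rip=(<HOST>),.*")
# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (assumption).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
MAXRETRY, FINDTIME = 5, 600  # maxretry / findtime from the jail.conf excerpt
STAMP = re.compile(r"^(\w{3})\s+(\d{1,2})\s+(\d\d:\d\d:\d\d)\s")


def sample_line(clock, service, ip):
    """Build one constructed maillog line in the shape shown in post #3."""
    return (f"Apr  8 {clock} fed dovecot: {service}: Disconnected (auth failed, "
            f"1 attempts): user=<root>, method=PLAIN, rip={ip}, lip=192.0.2.1")


# Constructed input (documentation addresses, not taken from the thread):
SAMPLE_LOG = (
    # five POP3 failures within 12 seconds
    [sample_line(f"07:11:{s:02d}", "pop3-login", "192.0.2.10") for s in (17, 21, 21, 25, 29)]
    # six POP3 failures, but never five inside any 600-second window
    + [sample_line(f"07:{m:02d}:00", "pop3-login", "198.51.100.7") for m in (0, 4, 8, 12, 16, 20)]
    # five IMAP failures, assuming Dovecot's usual "imap-login:" prefix
    + [sample_line(f"07:30:{s:02d}", "imap-login", "203.0.113.5") for s in range(5)]
)


def would_ban(lines, year=2012):
    """Return {ip: time of the failure that reaches maxretry inside findtime}."""
    rx = re.compile(FAILREGEX.replace("<HOST>", HOST))
    recent, banned = defaultdict(deque), {}
    for line in lines:
        stamp, hit = STAMP.match(line), rx.search(line)
        if not (stamp and hit):
            continue  # no syslog timestamp, or the failregex did not match
        when = datetime.strptime(f"{year} {stamp[1]} {stamp[2]} {stamp[3]}",
                                 "%Y %b %d %H:%M:%S")
        window = recent[hit.group("host")]
        window.append(when)
        while (when - window[0]).total_seconds() > FINDTIME:
            window.popleft()  # forget failures older than findtime
        if len(window) >= MAXRETRY:
            banned.setdefault(hit.group("host"), when)
    return banned


if __name__ == "__main__":
    for ip, when in would_ban(SAMPLE_LOG).items():
        print(f"{ip} reaches maxretry={MAXRETRY} at {when}")
```

On this input only 192.0.2.10 is returned. The constructed `imap-login` lines are not counted because the posted pattern spells that alternative `imap_login ` with an underscore and a trailing space.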